Apache Wicket FolderUploadsFileManager Path Traversal Vulnerability Allowing Arbitrary File Write and Read

Vulnerability

A path traversal vulnerability in the FolderUploadsFileManager component of Apache Wicket arises because the uploadFieldId parameter and the client-supplied file name (clientFileName) are not validated or sanitized before they are used to build file system paths. An unauthenticated attacker can therefore write arbitrary files outside the designated upload directory or read files from any location on the server. The vulnerability affects Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0 through 9.22.0, and 10.0.0 through 10.8.0.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes and reads, which may enable further attacks or expose data.

Remediation

Users are advised to upgrade to Apache Wicket version 10.9.0, which fixes this vulnerability. Users on Wicket 9.x may need additional guidance, since Wicket 10.0 requires Jakarta EE.
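To show the class of check that closes this kind of flaw, here is an added example that resolves an upload target from the two inputs named above and refuses anything that escapes the upload directory. It is not Wicket's own code and not its actual fix; the SafeUploadPath class, its upload-root argument and the identifier pattern are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Hardened construction of an upload target path from two untrusted inputs.
 * Added illustration only; this is not Wicket's code or its fix. The class name,
 * the upload root argument and the identifier pattern are assumptions.
 */
public final class SafeUploadPath {

    // Field ids are expected to be simple tokens; anything else is rejected outright.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path uploadRoot;

    public SafeUploadPath(Path uploadRoot) throws IOException {
        // Resolve the root once (symlinks included) so containment compares real paths.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    public Path resolve(String uploadFieldId, String clientFileName) {
        if (uploadFieldId == null || !SAFE_ID.matcher(uploadFieldId).matches()) {
            throw new IllegalArgumentException("invalid uploadFieldId");
        }
        // Keep only the final element of the client-supplied name: browsers may send a
        // full path, and an attacker will send "../" segments or an absolute path.
        String name = lastSegment(clientFileName);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid clientFileName");
        }
        Path target = uploadRoot.resolve(uploadFieldId).resolve(name).normalize();
        // Containment check: after normalisation the target must still be under the root.
        if (!target.startsWith(uploadRoot)) {
            throw new SecurityException("path escapes upload directory: " + target);
        }
        return target;
    }

    private static String lastSegment(String clientFileName) {
        if (clientFileName == null) {
            return "";
        }
        String s = clientFileName.replace('\\', '/');
        int i = s.lastIndexOf('/');
        return i >= 0 ? s.substring(i + 1) : s;
    }
}
```

With this in place, resolve("field1", "../../etc/passwd") stores a file named "passwd" inside the field1 directory rather than outside the root, a bare ".." is rejected, and an uploadFieldId containing separators or dots never reaches the file system.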

Added: May 6, 2026, 10:22 AM
Updated: May 6, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.9
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.